User administration - Azure

Register Entra application

Basic application setup

Create a new application and add a Web redirect URL of http://localhost

Record the Application (client) ID and the Directory (tenant) ID for later use.

Click Add a certificate or secret

Click New client secret and create an entry with the required name and duration

Copy the secret value.

NOTE: you cannot view this value again.

Allow groups for authentication restrictions

To access group details, the API needs the Group.Read.All application permission.

Select Microsoft Graph

Select Delegated permissions, search for "group" and add Group.Read.All

Confirm admin consent

Update global settings

You will need the clientid, applicationid and secret recorded from the Azure application.

Start the Service Scheduler Install / Upgrade wizard on the server

Click Next until you reach the Account Settings page, then select "Global"

Set sso_entra_enabled to 1.

Add the Azure application details to the corresponding settings: clientid, secret and tenantid.

Stop Service Scheduler prompting for an account on login

To stop the prompt, adjust the global setting sso_entra_authorize_endpoint. Its default value is:

https://login.microsoftonline.com/%tenantid%/oauth2/v2.0/authorize?client_id=%clientid%&response_type=code&redirect_uri=%redirect_uri%&response_mode=query&scope=%scope%&prompt=select_account

Remove the trailing &prompt=select_account from the value to disable the account prompt.

Limit access to groups / UPN

For group restrictions to work, the Microsoft Entra application needs the Group.Read.All permission.

Start the Service Scheduler Install / Upgrade wizard

Select Settings

Locate the settings sso_entra_allow_groups and sso_allow_upn_suffix.

To limit access to certain groups, add the group names separated by the ";" character.

To limit access to a user UPN suffix, enter the userPrincipalName suffix.
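The two pieces of logic the settings above describe, as an added example written for this page (not Service Scheduler's own code): expanding the sso_entra_authorize_endpoint template with and without the select_account prompt, and deciding whether a signed-in user passes the sso_entra_allow_groups / sso_allow_upn_suffix restrictions. The tenant and client values, the group names and the UPN are constructed sample data; URL-encoding of the substituted values and accepting the suffix with or without a leading "@" are assumptions.

```python
import re
from urllib.parse import quote

# Default value of sso_entra_authorize_endpoint, as given on this page.
AUTHORIZE_TEMPLATE = (
    "https://login.microsoftonline.com/%tenantid%/oauth2/v2.0/authorize"
    "?client_id=%clientid%&response_type=code&redirect_uri=%redirect_uri%"
    "&response_mode=query&scope=%scope%&prompt=select_account"
)
PLACEHOLDERS = ("tenantid", "clientid", "redirect_uri", "scope")


def expand_authorize_endpoint(template, values, account_prompt=True):
    """Fill the %name% placeholders; drop the prompt when account_prompt is False.

    Values are percent-encoded before substitution (assumption: the product
    does the same), and any placeholder left unfilled is an error rather
    than a URL that silently sends literal '%tenantid%' to Microsoft.
    """
    url = template
    for name in PLACEHOLDERS:
        if name in values:
            url = url.replace(f"%{name}%", quote(values[name], safe=""))
    if not account_prompt:
        # Removing the trailing parameter is the documented way to stop the prompt.
        url = url.replace("&prompt=select_account", "")
    missing = [p for p in PLACEHOLDERS if f"%{p}%" in url]
    if missing:
        raise ValueError(f"unfilled placeholders: {missing}")
    return url


def is_user_allowed(allow_groups, allow_upn_suffix, user_groups, user_upn):
    """Apply sso_entra_allow_groups (';'-separated names) and sso_allow_upn_suffix.

    An empty setting imposes no restriction. Group names are compared exactly
    after trimming whitespace; the UPN suffix is compared case-insensitively
    against the part after the last '@' (assumption: suffix may start with '@').
    """
    wanted = {g.strip() for g in allow_groups.split(";") if g.strip()}
    if wanted and not wanted.intersection(user_groups):
        return False
    suffix = allow_upn_suffix.strip().lstrip("@").lower()
    if suffix:
        _, at, domain = user_upn.rpartition("@")
        if not at or domain.lower() != suffix:
            return False
    return True
```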